I am looking at the possibility of running a PHP-based website (built in Symfony) from an encrypted partition on a LAMP server. The reason for this is because a client would have access to the server but I don't want them to see the source code behind the PHP website.

I am open to other solutions if this is not possible. For example, possibly running the site from a virtual machine instance that can't be accessed easily.

I am not a big fan of simply obfuscating the code because, according to other posts, it can be easily reversed.

Is it possible to run a PHP app within an environment which is not human-accessible/readable?

+2  A: 

If the enemy has physical access to the machine, you've already lost; it's certainly possible for them to get the source code. Encryption inside a virtual machine might make it a little more difficult, but they can always dump the memory, then use techniques described by J. Halderman et al. to extract the keys. And if it's just an encrypted partition (no VM), it'll be mounted and easily accessible. So no, unless you control the physical machine, you can't secure it from attacks by the machine's administrator, regardless of whether it's encrypted.

bdonlan
Makes a lot of sense. In my situation the client would get physical access to the machine, however I understand there are always security holes such as this. I wasn't really looking for a bulletproof solution, more of an obstacle big enough to shy away those who aren't that determined.
JB Lesage
+2  A: 

I don't see how an encrypted partition will help here, as the web server will need access to it, and somebody with access to the machine will know how to use that.

A virtual machine will probably be the easiest thing to secure, because you can serve web pages, but restrict filesystem / RDP access to it.

There are also reliable obfuscation/pre-compilation solutions on the market. With the latter, you can distribute bytecode that is also speed optimized, which is an argument to present to the client.

Pekka
Good points, and that is interesting about the obfuscation/pre-compilation... I guess I will have to look into how to create that PHP bytecode in the first place for distribution. Do you know of any methods offhand?
JB Lesage
http://stackoverflow.com/questions/470409/can-i-encrypt-php-source-or-compile-it-so-others-cant-see-it-and-how
Pekka
Thank you, I'll be sure to go over that list.
JB Lesage
+1  A: 

The reason for this is because a client would have access to the server but I don't want them to see the source code behind the PHP website.

Rubbish. How will you run a website having source code completely hidden? Apache needs it uncovered to process with PHP in order for your website to work.

FractalizeR
Fair enough, I didn't actually know if it were possible. Thanks!
JB Lesage